1 Signatures vs. MACs


CS 120/E-177: Introduction to Cryptography
Salil Vadhan and Alon Rosen
Nov. 22, 2006

Lecture Notes 17: Digital Signatures

Recommended Reading. Katz-Lindell 10

1 Signatures vs. MACs

Digital signatures are the public-key version of message authentication codes: anybody can verify. They can be thought of as a "digital analogue" of handwritten signatures (but are in fact stronger). Unlike MACs, signatures are:

1. Publicly verifiable - anybody can verify their validity.
2. Transferable - the recipient can show the signature to another party who can then verify that the signature is valid (this follows from public verifiability).
3. Non-repudiable - if Alice digitally signs a document, then Bob can prove to a third party (e.g. a court) that she signed it, by presenting the document and her signature. By definition, only Alice could have produced a valid signature.

Notice that MACs cannot have this property. None of the parties holding the key can claim the other one has signed. This is because it might be the case that the other party has actually signed.

MACs are more efficient in practice.

2 Syntax

Definition 1 A digital signature scheme consists of three algorithms $(G, S, V)$ such that:

- The key generation algorithm $G$ is a randomized algorithm that returns a public key $PK$ and a secret key $SK$; we write $(PK, SK) \stackrel{R}{\leftarrow} G(1^n)$.
- The signing algorithm $S$ is a (possibly) randomized algorithm that takes the secret key $SK$ and a message $m$ and outputs a signature $\sigma$; we write $\sigma \stackrel{R}{\leftarrow} S_{SK}(m)$.
- The verification algorithm $V$ is a deterministic algorithm that takes the public key $PK$, a message $m$, and a signature $\sigma$, and outputs $V_{PK}(m, \sigma) \in \{\text{accept}, \text{reject}\}$.

We require $V_{PK}(m, S_{SK}(m)) = \text{accept}$ for all $(PK, SK) \stackrel{R}{\leftarrow} G(1^n)$ and $m \in \{0, 1\}^*$.
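The (G, S, V) interface of Definition 1 next to a MAC, as an added example that is not part of the lecture notes. The signature scheme is a Lamport one-time signature, an assumption chosen here because it needs only a hash function; each key pair may sign a single message, and the message strings are constructed.

```python
import hashlib, hmac, secrets

N = 256                                   # bits of SHA-256 digest that get signed

def H(b):
    return hashlib.sha256(b).digest()

def G():
    """Key generation: SK = 2 x N random strings, PK = their hashes."""
    sk = [[secrets.token_bytes(32) for _ in range(N)] for _ in range(2)]
    pk = [[H(x) for x in row] for row in sk]
    return pk, sk

def bits(m):
    d = int.from_bytes(H(m), "big")
    return [(d >> i) & 1 for i in range(N)]

def S(sk, m):
    """Sign: reveal one secret string per digest bit (use each SK only once)."""
    return [sk[b][i] for i, b in enumerate(bits(m))]

def V(pk, m, sigma):
    """Verify: deterministic and needs only PK."""
    return len(sigma) == N and all(
        hmac.compare_digest(H(s), pk[b][i])
        for (i, b), s in zip(enumerate(bits(m)), sigma))

def mac(k, m):
    return hmac.new(k, m, hashlib.sha256).digest()

def demo():
    said = b"Alice owes Bob 10 dollars"        # constructed sample messages
    claimed = b"Alice owes Bob 1000 dollars"
    # MAC: verifying needs the shared key k, and k also computes tags, so Bob
    # can tag a message Alice never sent and it checks out exactly like hers.
    k = secrets.token_bytes(32)
    bob_tag = mac(k, claimed)
    mac_accepts_bobs_tag = hmac.compare_digest(mac(k, claimed), bob_tag)
    # Signature: Bob and the third party hold only PK.
    pk, sk = G()
    sigma = S(sk, said)
    return {
        "mac_accepts_bobs_tag": mac_accepts_bobs_tag,
        "signature_verifies": V(pk, said, sigma),
        "signature_moved_to_other_message": V(pk, claimed, sigma),
    }
```

A tag that verifies under the shared key says nothing about which key holder computed it, which is why a MAC cannot give non-repudiation; the signature check uses no secret at all.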

2.1 Comments

1. The sender needs a secret key, the opposite of public-key encryption. Alice will send a message encrypted with Bob's public key but signed with Alice's secret key. However, digital signatures and public-key encryption are not "duals" of each other (as one might be tempted to think).
2. It is conceivable that the sender keeps state between signatures, and we will allow this in some cases.
3. As with MACs, randomization is not necessary.
4. Note that we do not require any formatting of the messages; they can be arbitrary strings. Sometimes it is required that messages obey some "pre-specified format" (possibly depending on $PK$). In such a case, it is required to explicitly specify how to map arbitrary strings into a string that obeys this format.

3 Security

Definition 2 (existential unforgeability under adaptive chosen message attack) A signature scheme $(G, S, V)$ is secure if for every PPT $A$, there is a negligible function $\varepsilon$ such that

$$\Pr\left[ A^{S_{SK}(\cdot)}(PK) \text{ forges} \right] \le \varepsilon(k) \quad \forall k,$$

where the probability is taken over $(PK, SK) \stackrel{R}{\leftarrow} G(1^k)$ and the coin tosses of $A$. "$A$ forges" means that $A$ produces a pair $(m, \sigma)$ for which (a) $V_{PK}(m, \sigma) = \text{accept}$, and (b) $m$ is different from all of $A$'s queries to the $S_{SK}$-oracle.

3.1 Comments

1. The definition is strong:
   (a) $A$ gets access to signatures on messages of its choice.
   (b) $A$ forges even if the $m$ it has produced is "meaningless."

These are indeed strong requirements. However, if we can satisfy them, we can certainly satisfy weaker requirements. Also, this will give us signature schemes which are application independent (in particular, they will be suitable for use regardless of the formatting/semantics of the messages being signed). As for Item (1), in practice this can happen. For example, a notary would conceivably sign any document regardless of its contents.

4 Applications

Here are some applications of signatures.

1. Can be used for public-key infrastructure (without public directory): One trusted party (certificate authority, e.g. Verisign) has a public key known to everyone, and signs individuals' public keys, e.g. signs a statement like
   m = "Verisign certifies that $PK_{Alice}$ is Alice's public key"
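Returning to Definition 2: the forgery experiment written out as code, as an added example that is not part of the lecture notes. The scheme under test is textbook RSA with a constructed toy key, an assumption chosen here because it shows why condition (b) and the "meaningless message" case matter; the hash-first variant is likewise an assumption, and messages are integers below N.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def identity(m):                 # textbook RSA signs the message itself
    return m % N

def hashed(m):                   # hash before signing (assumed hardening)
    h = hashlib.sha256(m.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % N

class Game:
    """Experiment of Definition 2 for the scheme sigma = encode(m)^D mod N."""
    def __init__(self, encode):
        self.encode, self.queried = encode, set()

    def oracle(self, m):         # the S_SK oracle; records A's queries
        self.queried.add(m)
        return pow(self.encode(m), D, N)

    def verify(self, m, sigma):  # V_PK: uses only the public values (N, E)
        return pow(sigma, E, N) == self.encode(m)

    def forges(self, m, sigma):  # (a) accepted and (b) never queried
        return self.verify(m, sigma) and m not in self.queried

def replay(game):                # hands back a signature it was given
    return 42, game.oracle(42)

def multiply(game):              # combines two oracle answers into a third
    m1, m2 = 2, 3
    return (m1 * m2) % N, (game.oracle(m1) * game.oracle(m2)) % N

def run(adversary, encode):
    game = Game(encode)
    return game.forges(*adversary(game))
```

`run(replay, identity)` is not a forgery because the message was queried, `run(multiply, identity)` is a forgery on a message the signer never saw, and `run(multiply, hashed)` fails because hashing removes the multiplicative relation between signatures.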
